CVE-2021-28680

Name of the Vulnerable Software and Affected Versions: devise masquerade gem versions prior to 1.3

Description: The devise masquerade gem loses one layer of security protection compared to using Devise without this extension, allowing certain attacks when a password's salt is unknown. If the server-side secret key base value becomes publicly known, other protections prevent an attacker from impersonating any user on the site. In a plain Devise application, an attacker must know the password salt of the target user to encrypt and sign a valid session cookie. However, with devise masquerade, an attacker can decide which user the "back" action will go back to without knowing that user's password salt, simply by knowing the user ID and manipulating the session cookie.

Recommendations: For devise masquerade gem versions prior to 1.3, update to version 1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the secret key base value and limiting the use of the masquerade feature to minimize the risk of exploitation. Avoid committing sensitive values like secret key base to public repositories.